diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 63b8c5b..4495259 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,8 +26,10 @@ jobs:
 python: ["3.10", "3.11", "3.12", "3.13", "3.14"]
 os: ["ubuntu-latest", "ubuntu-24.04-arm", "macos-latest", "macos-15-intel", "windows-2022"]
 steps:
- - uses: actions/checkout@v6
- - uses: astral-sh/setup-uv@v7
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+ with:
+ persist-credentials: false
+ - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7
 with:
 python-version: ${{ matrix.python }}
 - name: Install QEMU and libc
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index e0bd3a1..2fd68bd 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -21,9 +21,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+ with:
+ persist-credentials: false
- - uses: astral-sh/setup-uv@v7
+ - uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7
 - name: Install solc-select and test dependencies
 run: uv sync --extra dev
@@ -35,4 +37,4 @@ jobs:
 run: uv run ruff format --check .
 - name: Run mypy type checking
- run: uv run mypy . --config-file pyproject.toml
\ No newline at end of file
+ run: uv run mypy . --config-file pyproject.toml
diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml
index f06f3fa..bf2cbf6 100644
--- a/.github/workflows/pip-audit.yml
+++ b/.github/workflows/pip-audit.yml
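Review bot: No `permissions:` block is visible for ci.yml, while pip-audit.yml and release.yml in this same commit gain a workflow-level `permissions: contents: read`; unless one is set above line 26, the matrix job still runs with the repository's default GITHUB_TOKEN grant (which may be read-write depending on repository settings), and `persist-credentials: false` only keeps the token out of the checkout's git config, not out of the job. Add `permissions:` / `  contents: read` at the top of ci.yml so a compromised step or test dependency gets a read-only token. Likewise the now SHA-pinned setup-uv action still downloads whichever uv release it resolves at run time unless `version:` is set (or a `required-version` in pyproject.toml constrains it, which cannot be confirmed here), so the tool itself is not pinned. The `jobs:` block and the job header enclosing these `steps:` start outside the hunk.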
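Review bot: lint.yml gets the SHA pins and `persist-credentials: false` but, in the visible hunk, no `permissions:` block, unlike pip-audit.yml and release.yml in this commit; unless one exists above line 21, add `permissions:` / `  contents: read` at workflow level so the lint job's token is read-only. The context line `run: uv sync --extra dev` also installs without asserting the lockfile, so a uv.lock that is out of date with pyproject.toml is re-resolved (and may be rewritten) instead of failing the job; `run: uv sync --locked --extra dev` makes the install fail on a mismatch, assuming uv.lock is committed. The job header enclosing these steps starts outside the hunk.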
@@ -12,16 +12,21 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 pip-audit:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+ with:
+ persist-credentials: false
 - name: Install Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: "3.x"
@@ -34,6 +39,6 @@ jobs:
 python -m pip install .
 - name: Run pip-audit
- uses: pypa/gh-action-pip-audit@v1.1.0
+ uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
 with:
 virtual-environment: /tmp/pip-audit-env
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a563288..7cdd168 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,16 +4,20 @@ on:
 release:
 types: [published]
+permissions:
+ contents: read
+
 jobs:
 build-release:
-
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6
 with:
 python-version: '3.x'
@@ -24,7 +28,7 @@ jobs:
 python -m build
 - name: Upload distributions
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 with:
 name: solc-select-dists
 path: dist/
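Review bot: The trailing `# v6` / `# v1.1.0` comments on the new SHA pins are the only record of which release each hash corresponds to, and nothing in this change keeps them updated; unless a `.github/dependabot.yml` or Renovate configuration covering the `github-actions` ecosystem already exists (not visible here), SHA-pinned actions will silently stop receiving security updates. Adding `package-ecosystem: "github-actions"` to Dependabot updates both the hash and the version comment together. Pinning to a full 40-character commit SHA, as done on each `uses:` line here, is what defeats a tag-retargeting compromise of an action, and `permissions: contents: read` at workflow level is the right grant for an audit-only job, so the rest of the hunk looks correct.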
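Review bot: `python-version: '3.x'` in the new setup-python step lets the release distributions be built with whatever CPython 3 minor the runner resolves on the day, so two builds of the same tag can differ; for a build that feeds a signed publish, pin a specific minor, e.g. `python-version: "3.12"`, and bump it deliberately. The single quotes here also differ from the double quotes used for the same value in pip-audit.yml in this commit; either works, but pick one. The enclosing `build-release` job continues past the end of the hunk.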
@@ -39,16 +43,16 @@ jobs:
 - build-release
 steps:
 - name: fetch dists
- uses: actions/download-artifact@v7
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
 with:
 name: solc-select-dists
 path: dist/
 - name: publish
- uses: pypa/gh-action-pypi-publish@v1.13.0
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 - name: sign
- uses: sigstore/gh-action-sigstore-python@v3.2.0
+ uses: sigstore/gh-action-sigstore-python@a5caf349bc536fbef3668a10ed7f5cd309a4b53d # v3.2.0
 with:
 inputs: ./dist/*.tar.gz ./dist/*.whl
 release-signing-artifacts: true
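Review bot: The workflow-level `permissions: contents: read` added earlier in this file is now the default for every job, but this publish job's own `permissions:` block, if any, sits above line 43 outside the hunk, so it cannot be confirmed here; `pypa/gh-action-pypi-publish` trusted publishing needs `id-token: write`, and `sigstore/gh-action-sigstore-python` with `release-signing-artifacts: true` needs `id-token: write` plus `contents: write` to attach the signatures to the GitHub release. Verify the job declares `permissions:` / `  id-token: write` / `  contents: write`, keeping in mind that a job-level `permissions:` block replaces the workflow-level grant rather than extending it, so anything omitted there becomes `none`. Ordering is also worth a deliberate decision: `publish` runs before `sign`, so a failure in the signing step leaves the release on PyPI without the sigstore bundles attached. The job header enclosing these steps starts outside the hunk.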